[RFC] IAM Users #74
# RFC: IAM User Management in DLZ

## Overview

This RFC outlines the approach for managing IAM users within the DLZ using CDK. The goal is to ensure adherence to the Principle of Least Privilege, providing only the permissions required for specific tasks. The workload teams are not responsible for managing IAM users, and all user-related actions are centralized within the DLZ.

## IAM User Management Responsibility Matrix

DLZ:
Workload Teams:
## Key Guidelines for IAM User Creation and Management

1. User Creation
2. User Group and Permission Sets
3. Principle of Least Privilege
4. Security Controls
## Security Concerns and Mitigation

1. Credential Leakage
2. Resource Misuse
## Code Implementation

The following configuration demonstrates the implementation of IAM users and groups in the DLZ configuration file:

```ts
import * as iam from 'aws-cdk-lib/aws-iam';

// Fragment of the DLZ configuration file: the `iamUsers` block.
iamUsers: {
  users: [
    { userName: 'user1', name: 'User1' },
    { userName: 'user2', name: 'User2' },
  ],
  userGroups: [
    {
      // Permission set backed by an AWS managed policy.
      name: 'admin-access-permission-set',
      managedPolicyArns: ['arn:aws:iam::aws:policy/AdministratorAccess'],
    },
    {
      // Least-privilege permission set: read-only access to one bucket.
      name: 's3-only-access',
      inlinePolicyStatements: [
        new iam.PolicyStatement({
          actions: ['s3:ListBucket', 's3:GetObject'],
          resources: [
            'arn:aws:s3:::specific-bucket',
            'arn:aws:s3:::specific-bucket/*',
          ],
        }),
      ],
    },
  ],
  userGroupAssociation: [
    {
      name: 'admin-access-group',
      userNames: ['user1'], // matched against `userName` above, not `name`
      permissionSetName: 'admin-access-permission-set',
    },
    {
      name: 's3-access-group',
      userNames: ['user2'],
      permissionSetName: 's3-only-access',
    },
  ],
}
```

## Conclusion

By centralizing IAM user management and applying strict restrictions, the DLZ ensures compliance with best practices while maintaining robust security. All IAM-related configurations will adhere to the principles outlined in this RFC to minimize risks and ensure proper governance.
Thanks. Actually, I think we should give them the option to define policies and roles while we are at it. So I'm proposing a structure like this:

```ts
iam: {
  accountAlias: "datachef",
  passwordPolicy: ...
  policies: [ PolicyProps ]
  roles: [ RoleProps ]
  users: [
    UserProps
  ]
  userGroups: [ {
    ...GroupProps
    users: [ string ] // loosely typed, match the name of the users prop
  } ]
}
```

The resources should be created in this order: policies, roles, users, userGroups, so that if a role references a policy, that policy would already have been created. So we need to add dependencies between these. Then we should also create a

You had a good point about compliance. There are Security Hub controls/Config rules that we should revisit.
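As an added example that is not part of the RFC or the project's code: a stand-alone TypeScript validator for the `iam` block proposed above. It runs without `aws-cdk-lib`, so it assumes a plain-object shape for the config (statements as `{ actions, resources }` rather than `iam.PolicyStatement`, and an assumed `policyNames` field on roles and groups for referencing policies by name). It checks the name references that the proposed creation order (policies, roles, users, userGroups) depends on, and applies the RFC's least-privilege guideline by flagging wildcard Allow statements and `AdministratorAccess` attachments. The two sample configs are constructed for this example.

```typescript
// Added example (not the project's code): offline validator for the proposed
// `iam` config block. Assumed shape: statements are plain { actions, resources }
// objects, and `policyNames` (assumed field) references policies by name.

interface StatementDef {
  effect?: 'Allow' | 'Deny';
  actions: string[];
  resources: string[];
}
interface PolicyDef { name: string; statements: StatementDef[] }
interface RoleDef { name: string; policyNames?: string[] }
interface UserDef { userName: string }
interface GroupDef {
  name: string;
  managedPolicyArns?: string[];
  policyNames?: string[];
  users: string[]; // matched against UserDef.userName
}
interface IamConfig {
  policies: PolicyDef[];
  roles: RoleDef[];
  users: UserDef[];
  userGroups: GroupDef[];
}
interface ValidationResult {
  errors: string[];        // dangling references: must block synthesis
  warnings: string[];      // least-privilege findings: need a reviewer
  creationOrder: string[]; // policies -> roles -> users -> userGroups
}

const ADMIN_POLICY_ARN = 'arn:aws:iam::aws:policy/AdministratorAccess';

// An Allow statement is over-broad when it covers every action (or a whole
// service via "svc:*") or applies to every resource. Deny statements are fine.
function isWildcardAllow(s: StatementDef): boolean {
  if (s.effect === 'Deny') return false;
  const anyAction = s.actions.some(a => a === '*' || a.endsWith(':*'));
  const anyResource = s.resources.includes('*');
  return anyAction || anyResource;
}

function validateIamConfig(cfg: IamConfig): ValidationResult {
  const errors: string[] = [];
  const warnings: string[] = [];
  const policyNames = new Set<string>();
  const userNames = new Set<string>();

  for (const p of cfg.policies) {
    if (policyNames.has(p.name)) errors.push(`duplicate policy name '${p.name}'`);
    policyNames.add(p.name);
    p.statements.forEach((s, i) => {
      if (isWildcardAllow(s)) {
        warnings.push(`policy '${p.name}' statement ${i} grants wildcard actions or resources`);
      }
    });
  }
  for (const u of cfg.users) {
    if (userNames.has(u.userName)) errors.push(`duplicate userName '${u.userName}'`);
    userNames.add(u.userName);
  }
  // Roles and groups may only reference policies/users defined in this config;
  // that is what makes "create policies first, then depend on them" sound.
  for (const r of cfg.roles) {
    for (const pn of r.policyNames ?? []) {
      if (!policyNames.has(pn)) errors.push(`role '${r.name}' references unknown policy '${pn}'`);
    }
  }
  for (const g of cfg.userGroups) {
    for (const pn of g.policyNames ?? []) {
      if (!policyNames.has(pn)) errors.push(`group '${g.name}' references unknown policy '${pn}'`);
    }
    for (const un of g.users) {
      if (!userNames.has(un)) errors.push(`group '${g.name}' references unknown user '${un}'`);
    }
    if ((g.managedPolicyArns ?? []).includes(ADMIN_POLICY_ARN)) {
      warnings.push(`group '${g.name}' attaches AdministratorAccess; confirm every member needs it`);
    }
  }
  const creationOrder = [
    ...cfg.policies.map(p => `policy:${p.name}`),
    ...cfg.roles.map(r => `role:${r.name}`),
    ...cfg.users.map(u => `user:${u.userName}`),
    ...cfg.userGroups.map(g => `group:${g.name}`),
  ];
  return { errors, warnings, creationOrder };
}

// Constructed sample mirroring the RFC's two groups (admin vs. single-bucket read).
const sampleConfig: IamConfig = {
  policies: [{
    name: 's3-only-access',
    statements: [{
      actions: ['s3:ListBucket', 's3:GetObject'],
      resources: ['arn:aws:s3:::specific-bucket', 'arn:aws:s3:::specific-bucket/*'],
    }],
  }],
  roles: [{ name: 'ci-deploy', policyNames: ['s3-only-access'] }],
  users: [{ userName: 'user1' }, { userName: 'user2' }],
  userGroups: [
    { name: 'admin-access-group', managedPolicyArns: [ADMIN_POLICY_ARN], users: ['user1'] },
    { name: 's3-access-group', policyNames: ['s3-only-access'], users: ['user2'] },
  ],
};

// Constructed broken sample: two dangling references plus an over-broad statement.
const brokenConfig: IamConfig = {
  policies: [{ name: 'wide-open', statements: [{ actions: ['*'], resources: ['*'] }] }],
  roles: [{ name: 'app-role', policyNames: ['does-not-exist'] }],
  users: [{ userName: 'user1' }],
  userGroups: [{ name: 'ops', policyNames: ['wide-open'], users: ['user1', 'ghost'] }],
};

const report = validateIamConfig(sampleConfig);
console.log(report.creationOrder.join(' -> '));
console.log('warnings:', report.warnings, 'errors:', report.errors);
```

Run as a pre-synth step in the CDK app and a misspelled entry in `users` becomes a build failure rather than a `cdk deploy` error, and the warnings list gives the Security Hub/Config review mentioned above a concrete starting point.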
Placeholder